Analysis
-
max time kernel
145s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
26-09-2024 01:03
Behavioral task
behavioral1
Sample
2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe
Resource
win10v2004-20240802-en
General
-
Target
2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe
-
Size
147KB
-
MD5
0ebb815bbd3f1b249d4a86d18e5f064b
-
SHA1
474fea9f172a6d6857a133755953330ae802409b
-
SHA256
6fa257b42aa0e3323fbf6ca0026f331fe58447e22224d2f0ea8e533bd9eed096
-
SHA512
a427c4d7ed3d9565c9051801ea6d38ffbd293b2dee0ad54e71b573bfee5030de4c9ca7132373ce90a051201d1c01e07990a877c07e5ab6c73017140e580a24ba
-
SSDEEP
1536:8zICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xD4056A76O4xEwyamTS8GHViXqWB:zqJogYkcSNm9V7Drl7Z4q3S4XqWbJT
Malware Config
Extracted
C:\dZGlueXae.README.txt
Signatures
-
Renames multiple (182) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
D802.tmpdescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation D802.tmp -
Deletes itself 1 IoCs
Processes:
D802.tmppid process 4928 D802.tmp -
Executes dropped EXE 1 IoCs
Processes:
D802.tmppid process 4928 D802.tmp -
Drops desktop.ini file(s) 2 IoCs
Processes:
2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exedescription ioc process File opened for modification C:\$Recycle.Bin\S-1-5-21-1302416131-1437503476-2806442725-1000\desktop.ini 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1302416131-1437503476-2806442725-1000\desktop.ini 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Drops file in System32 directory 4 IoCs
Processes:
splwow64.exeprintfilterpipelinesvc.exedescription ioc process File created C:\Windows\system32\spool\PRINTERS\00002.SPL splwow64.exe File created C:\Windows\system32\spool\PRINTERS\PPend0r9qpeulnip5mt2kadpeic.TMP printfilterpipelinesvc.exe File created C:\Windows\system32\spool\PRINTERS\PPh2ptpzoigu3fu9f68ojw07dic.TMP printfilterpipelinesvc.exe File created C:\Windows\system32\spool\PRINTERS\PP4fhgozmyo4dqrhw9ze7omx5_.TMP printfilterpipelinesvc.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
D802.tmppid process 4928 D802.tmp -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exeD802.tmpcmd.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language D802.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
ONENOTE.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ONENOTE.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
ONENOTE.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily ONENOTE.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU ONENOTE.EXE -
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exeONENOTE.EXEpid process 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe 4760 ONENOTE.EXE 4760 ONENOTE.EXE -
Suspicious behavior: RenamesItself 26 IoCs
Processes:
D802.tmppid process 4928 D802.tmp 4928 D802.tmp 4928 D802.tmp 4928 D802.tmp 4928 D802.tmp 4928 D802.tmp 4928 D802.tmp 4928 D802.tmp 4928 D802.tmp 4928 D802.tmp 4928 D802.tmp 4928 D802.tmp 4928 D802.tmp 4928 D802.tmp 4928 D802.tmp 4928 D802.tmp 4928 D802.tmp 4928 D802.tmp 4928 D802.tmp 4928 D802.tmp 4928 D802.tmp 4928 D802.tmp 4928 D802.tmp 4928 D802.tmp 4928 D802.tmp 4928 D802.tmp -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exedescription pid process Token: SeAssignPrimaryTokenPrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeBackupPrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeDebugPrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: 36 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeImpersonatePrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeIncBasePriorityPrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeIncreaseQuotaPrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: 33 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeManageVolumePrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeProfSingleProcessPrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeRestorePrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeSecurityPrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeSystemProfilePrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeTakeOwnershipPrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeShutdownPrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeDebugPrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeBackupPrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeBackupPrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeSecurityPrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeSecurityPrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeBackupPrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeBackupPrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeSecurityPrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeSecurityPrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeBackupPrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeBackupPrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeSecurityPrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeSecurityPrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeBackupPrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeBackupPrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeSecurityPrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeSecurityPrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeBackupPrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeBackupPrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeSecurityPrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeSecurityPrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeBackupPrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeBackupPrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeSecurityPrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeSecurityPrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeBackupPrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeBackupPrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeSecurityPrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeSecurityPrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeBackupPrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeBackupPrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeSecurityPrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeSecurityPrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeBackupPrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeBackupPrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeSecurityPrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeSecurityPrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeBackupPrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeBackupPrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeSecurityPrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeSecurityPrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeBackupPrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeBackupPrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeSecurityPrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeSecurityPrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeBackupPrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeBackupPrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeSecurityPrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe Token: SeSecurityPrivilege 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe -
Suspicious use of SetWindowsHookEx 13 IoCs
Processes:
ONENOTE.EXEpid process 4760 ONENOTE.EXE 4760 ONENOTE.EXE 4760 ONENOTE.EXE 4760 ONENOTE.EXE 4760 ONENOTE.EXE 4760 ONENOTE.EXE 4760 ONENOTE.EXE 4760 ONENOTE.EXE 4760 ONENOTE.EXE 4760 ONENOTE.EXE 4760 ONENOTE.EXE 4760 ONENOTE.EXE 4760 ONENOTE.EXE -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exeprintfilterpipelinesvc.exeD802.tmpdescription pid process target process PID 2128 wrote to memory of 4504 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe splwow64.exe PID 2128 wrote to memory of 4504 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe splwow64.exe PID 3832 wrote to memory of 4760 3832 printfilterpipelinesvc.exe ONENOTE.EXE PID 3832 wrote to memory of 4760 3832 printfilterpipelinesvc.exe ONENOTE.EXE PID 2128 wrote to memory of 4928 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe D802.tmp PID 2128 wrote to memory of 4928 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe D802.tmp PID 2128 wrote to memory of 4928 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe D802.tmp PID 2128 wrote to memory of 4928 2128 2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe D802.tmp PID 4928 wrote to memory of 2992 4928 D802.tmp cmd.exe PID 4928 wrote to memory of 2992 4928 D802.tmp cmd.exe PID 4928 wrote to memory of 2992 4928 D802.tmp cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe"C:\Users\Admin\AppData\Local\Temp\2024-09-26_0ebb815bbd3f1b249d4a86d18e5f064b_darkside.exe"1⤵
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
- Drops file in System32 directory
PID:4504
-
-
C:\ProgramData\D802.tmp"C:\ProgramData\D802.tmp"2⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4928 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\D802.tmp >> NUL3⤵
- System Location Discovery: System Language Discovery
PID:2992
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:4740
-
C:\Windows\system32\printfilterpipelinesvc.exeC:\Windows\system32\printfilterpipelinesvc.exe -Embedding1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3832 -
C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{A35AD049-2C80-41D7-9634-B9327B036FC3}.xps" 1337178623891600002⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4760
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD552f273f3fa372d95fbb4756f56759ec9
SHA14bd27bc0e3b2d6a5ddd0d958a251c4a31680cff0
SHA25669512b5fe0851f9255b51a3cd4be070fc0e6a6ff2b1dad888efbaa0b106ba3c2
SHA512ede3b197c7f87c551ac29e93dee4a0970d5efa858537b833af5efd5615be64d30c4c3e630d991d484e6ce17a22fadcfd95bc8ab20933e88e9e8ca1861f532e49
-
Filesize
14KB
MD5294e9f64cb1642dd89229fff0592856b
SHA197b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
-
Filesize
147KB
MD535d5887a0deb21c8f40cc8dcdfb25ac7
SHA110a87034b8923fff695b3e09adfb7895479c0571
SHA256781237ded944e806a09a77d3fec1426885146933110580f67250cfbda6763750
SHA5127e7bd4f4fd27474ee786e7070a134404977808789b57bd58c61f3e05067dbcf554dd4662757f8e17e628c06e67b312bc2cc4204641fae7642ce06dacb85ddeab
-
Filesize
4KB
MD52170c4f8475696642a5c71e4c32a6188
SHA1520c50e1efd9c346ddad381f06b179cde29c0d37
SHA256a376bffcb8d792b98e215828ca1fa992bb53b6c893853ea1e34330f48b77da09
SHA512fad92e6b58c6b5d3c6ee880c85d3b78fd5c5a10de7e9e8e536053b42fb6fc5a8acc3c0f9c283cb7beadcb5ea5b2e2ffb2bd9562ff9cdfdc347326cf513cdc870
-
Filesize
4KB
MD58ec8828c09340ed64801d79f111cdb58
SHA11c469668489d50d46ebb002a4044a353b195443c
SHA25603c2228e7328afa06e136c74ab41c3de26b9a2ba0b78c4e59f9159a36a1b07a2
SHA5129cb3f421cfcad36093e0aed8229ebd853363ce152c509ab9ad433c75fb17f85770b8b515d8cd739d2aea6f7c8673c1f4a0651a9a8f5595948d1ab7f43a888831
-
Filesize
1KB
MD5194200178a1b5be9df886d8b4820dc97
SHA16241b893856c6ff3b43ab900f06a1d34d52b23ee
SHA25650f815a145695bc049ba880c4583dc3417a29b8a94613918ebefb0e5be16eb75
SHA512c67d782579620c8438b4557b0f6a2c806880eba210ac034d2b46189bae7aea167c871582ce00adead3cd6341c5240cb6f820318e91d58a909550106ad6eba9bc
-
Filesize
129B
MD5ff71ccc7cc8754c0e38539c5d089cf47
SHA1648d303eb3adb0e2317021d64176a950d8bb4c2f
SHA2562d1edd60537317858a1bb31869460414b1a6c23abf36205edcdea9027ed1b0c7
SHA5129a583efd788bd31f891baada72cbeab0f5d48e77d606edf149f0905a7c79d792a1f4470d4b9a85c970509951160539199528c1e835460535316c476bf87c6c58